
quiz vs the machine


Networking

Certificate Transparency

How public logs make mis-issued certificates detectable.

5 min read · advanced

The trust gap it fills

Any publicly trusted certificate authority can technically issue a certificate for any domain: a browser only checks that the chain leads to a trusted root, not that the domain's owner ever asked for the certificate. (DNS CAA records let an owner say which authorities may issue, but honouring them is up to the authority itself.) Historically a compromised or careless authority could mint a certificate for a site the real owner never requested, and nobody would notice. Certificate Transparency, or CT, makes every issued certificate publicly visible so mis-issuance can be caught.

How the logs work

CT relies on append-only public logs that record certificates.

  • An authority submits the certificate (in practice usually a precertificate, signed before the final certificate is issued) to one or more logs and receives a signed certificate timestamp, or SCT: the log's signed promise to include the entry within its published maximum merge delay.
  • Browsers that enforce CT (Chrome and Safari do) require SCTs, typically from more than one independent log, before trusting a publicly trusted certificate. The SCTs can be embedded in the certificate, sent in the TLS handshake, or carried in a stapled OCSP response.
  • Domain owners and monitors scan the logs to spot certificates they never asked for.

Each log is a Merkle tree over its entries, and the log periodically signs the tree head. An inclusion proof lets anyone verify that a specific certificate is in the tree behind a signed head, and a consistency proof shows that a newer signed head is a strict extension of an older one, so the log cannot remove or alter earlier entries without the two heads failing to be consistent. Auditors check that what a log promised in its SCTs it actually published, and that different clients are being shown the same tree. The system does not prevent mis-issuance directly, but it makes hiding it nearly impossible, turning a silent attack into a public, detectable event.
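To make the tree mechanics concrete, here is an added example that is not part of the lesson: a minimal Python implementation of the RFC 6962 / RFC 9162 Merkle tree hash, inclusion proofs and consistency proofs, using only the standard library. The entries are constructed byte strings standing in for real log entries (a real log hashes a MerkleTreeLeaf structure wrapping the precertificate or certificate), and the function names are this example's own. It goes slightly beyond the text by also showing that a log which rewrites an old entry can no longer produce a consistency proof between its old and new heads.

```python
import hashlib

# RFC 6962 domain-separates leaves from interior nodes with a one-byte prefix,
# so a leaf can never be passed off as a node or vice versa.
LEAF_PREFIX = b"\x00"
NODE_PREFIX = b"\x01"


def leaf_hash(entry: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + entry).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def split_point(n: int) -> int:
    """Largest power of two strictly less than n (requires n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_hash(entries) -> bytes:
    """Merkle Tree Hash (MTH) of an ordered list of entries, RFC 6962 s2.1."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(entries[0])
    k = split_point(n)
    return node_hash(tree_hash(entries[:k]), tree_hash(entries[k:]))


def inclusion_proof(index: int, entries):
    """Audit path for entries[index]: sibling hashes from the leaf up to the root."""
    n = len(entries)
    if n == 1:
        return []
    k = split_point(n)
    if index < k:
        return inclusion_proof(index, entries[:k]) + [tree_hash(entries[k:])]
    return inclusion_proof(index - k, entries[k:]) + [tree_hash(entries[:k])]


def _root_from_inclusion(leaf: bytes, index: int, size: int, proof) -> bytes:
    # Mirrors inclusion_proof: the last proof element is the top-level sibling.
    if size == 1:
        if proof:
            raise ValueError("proof too long")
        return leaf
    k = split_point(size)
    if index < k:
        return node_hash(_root_from_inclusion(leaf, index, k, proof[:-1]), proof[-1])
    return node_hash(proof[-1], _root_from_inclusion(leaf, index - k, size - k, proof[:-1]))


def verify_inclusion(root: bytes, entry: bytes, index: int, size: int, proof) -> bool:
    """Is `entry` the `index`-th leaf of the tree of `size` entries whose MTH is `root`?"""
    if not 0 <= index < size:
        return False
    try:
        return _root_from_inclusion(leaf_hash(entry), index, size, proof) == root
    except (ValueError, IndexError):
        return False


def consistency_proof(old_size: int, entries):
    """Proof that tree_hash(entries[:old_size]) is a prefix of tree_hash(entries)."""
    if not 0 < old_size <= len(entries):
        raise ValueError("old_size out of range")
    return _subproof(old_size, entries, True)


def _subproof(m: int, entries, whole: bool):
    n = len(entries)
    if m == n:  # `whole`: this subtree is the entire old tree, which the verifier already knows
        return [] if whole else [tree_hash(entries)]
    k = split_point(n)
    if m <= k:
        return _subproof(m, entries[:k], whole) + [tree_hash(entries[k:])]
    return _subproof(m - k, entries[k:], False) + [tree_hash(entries[:k])]


def _roots_from_consistency(old_root, m, n, proof, whole):
    # Returns (hash of first m entries, hash of all n entries) rebuilt from the proof.
    if m == n:
        if whole:
            if proof:
                raise ValueError("proof too long")
            return old_root, old_root
        if len(proof) != 1:
            raise ValueError("bad proof length")
        return proof[0], proof[0]
    k = split_point(n)
    if m <= k:
        old, new = _roots_from_consistency(old_root, m, k, proof[:-1], whole)
        return old, node_hash(new, proof[-1])
    old, new = _roots_from_consistency(old_root, m - k, n - k, proof[:-1], False)
    return node_hash(proof[-1], old), node_hash(proof[-1], new)


def verify_consistency(old_root, old_size, new_root, new_size, proof) -> bool:
    """Does the tree behind new_root extend, without change, the tree behind old_root?"""
    if not 0 < old_size <= new_size:
        return False
    try:
        old, new = _roots_from_consistency(old_root, old_size, new_size, proof, True)
    except (ValueError, IndexError):
        return False
    return old == old_root and new == new_root


if __name__ == "__main__":
    log = [f"cert-{i}".encode() for i in range(7)]  # constructed stand-in entries
    head7 = tree_hash(log)
    print("entry 3 included:", verify_inclusion(head7, log[3], 3, 7, inclusion_proof(3, log)))
    head3 = tree_hash(log[:3])
    print("head of 7 extends head of 3:", verify_consistency(head3, 3, head7, 7, consistency_proof(3, log)))
    # A log that quietly rewrites entry 1 cannot prove its new head is consistent with the old one.
    tampered = log[:1] + [b"cert-1-REPLACED"] + log[2:]
    print("tampered head consistent:", verify_consistency(head3, 3, tree_hash(tampered), 7, consistency_proof(3, tampered)))
```

A monitor keeps only the signed tree heads it has already seen; each time it fetches a newer head it asks the log for a consistency proof between the two, and a failure there is exactly the "removed or altered an earlier entry" case the lesson describes. The empty-tree and single-leaf values produced by tree_hash and leaf_hash match the test vectors in RFC 9162.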

Key idea

Certificate Transparency records every certificate in append-only public logs so domain owners can detect mis-issuance that would otherwise stay hidden.

Check yourself


1. What does a signed certificate timestamp promise?

2. What data structure lets anyone verify a log is append-only?

3. What does Certificate Transparency actually guarantee?